
Citrix Workspace App For Linux 2212 Credential Leak

Posted Jan 17, 2023
Authored by Russell Howe | Site github.com

The Citrix Linux client emits its session credentials when starting a Citrix session. These credentials end up being recorded in the client's system log. Citrix does not consider this to be a security vulnerability. Citrix Workspace App for Linux version 2212 is affected.

tags | exploit, info disclosure
systems | linux
SHA-256 | 7dcc2aa9372419c9c8a42274ec03367e8a37d4902ba8905cc51d86c2effbdbaa

# Citrix Linux client credential leak

The Citrix Linux client emits its session credentials when starting a Citrix
session. These credentials end up being recorded in the client's system log.

Citrix do not consider this to be a security vulnerability.

# Software affected

- Citrix Workspace App for Linux version 2212.

Other versions are likely affected.

# Context

When connecting to a Citrix session via a web browser such as Firefox on Linux,
typically you access a web application known as Citrix Storefront. This
provides clickable icons for the applications and remote desktop sessions
available to you.

When you click on one of these, your browser is instructed to open a URL of the
form `receiver://.....` which is handled using `/opt/Citrix/ICAClient/util/ctxwebhelper`.
`ctxwebhelper` parses the URL and uses the decoded information to make an HTTP
GET request to the remote server for an 'ica' file, which contains the
connection details necessary to launch the Citrix client software,
`/opt/Citrix/ICAClient/wfica`.

The ICA file contains details such as the server hostname and temporary session
credentials needed to authenticate the session.

# The issue

When making the GET request to retrieve the ICA file, `ctxwebhelper` echoes the
full HTTP response (headers & body) to standard output, which ends up feeding
into journald and then into the system log files.

This can be demonstrated by connecting to a Citrix session and running:

    grep 'receiver\.desktop.*LogonTicket=' /var/log/syslog

which will produce output such as

    2023-01-12T11:15:46.816466+00:00 myhostname receiver.desktop[9999]: LogonTicket=1234567890ABCDEF1234567890ABCD
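
To check more than the current log file, the same pattern can be run over rotated and compressed logs. The script below is an added example, not part of the original advisory; the function names are hypothetical, and it masks the ticket value so the audit output does not become another copy of the credential.

```sh
#!/bin/sh
# Added example: audit syslog files for the leak described in this advisory.
# LEAK_RE is the pattern used by the advisory's grep command.
LEAK_RE='receiver\.desktop.*LogonTicket='

# Print the leaking lines from one log file (plain or gzip-rotated) with the
# ticket value masked.
scan_log() {
    case $1 in
        *.gz) gzip -dc -- "$1" ;;
        *)    cat -- "$1" ;;
    esac | grep -e "$LEAK_RE" |
        sed 's/\(LogonTicket=\)[^[:space:]]*/\1[REDACTED]/g'
}

# Report a per-file count of leaking lines. Returns 1 if any file contains
# one, so the function can drive a cron job or a monitoring check.
audit_logs() {
    found=0
    for f in "$@"; do
        [ -r "$f" ] || continue          # skip missing or unreadable files
        n=$(scan_log "$f" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s: %s line(s) containing a LogonTicket\n' "$f" "$n"
            found=1
        fi
    done
    return "$found"
}

# Assumed usage (rotation file names vary by distribution):
#   sudo sh audit.sh /var/log/syslog*
if [ "$#" -gt 0 ]; then
    audit_logs "$@"
fi
```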

# Vendor response

Citrix responded to my report on 2023-01-05 to say they do not consider this a product vulnerability:

> Thank you for bearing with us. We have concluded the security
> investigation into the reported issue and determined that the contents
> of /var/log/syslog can only be read or written by root user, or a
> syslog user or an adm group but not by an unprivileged user. As a
> result, we do not consider this finding as a vulnerability in the
> product.
>
> We would like to thank you for submitting the finding and helping to
> keep Citrix customers safe.
>
> Best Regards,
>
> Citrix Security Response Team

This is short-sighted in my opinion - logs should not be considered safe places
to store credentials, even temporary ones.

# Workaround

Since Citrix do not consider this a vulnerability it seems unlikely this behaviour will change.

You can work around this issue by replacing ctxwebhelper with a wrapper script
that either discards or filters its output.

First, rename `ctxwebhelper`:

    mv /opt/Citrix/ICAClient/util/ctxwebhelper /opt/Citrix/ICAClient/util/ctxwebhelper.real

Next, put a script in its place that redirects stdout and stderr to /dev/null before executing the real `ctxwebhelper`:

    #!/bin/bash
    set -eu
    exec &>/dev/null
    "$(dirname "$0")"/ctxwebhelper.real "$@"

Don't forget to `chmod +x /opt/Citrix/ICAClient/util/ctxwebhelper` after doing this.

This script is available from this repository - see `ctxwebhelper.wrapper`.

Note that this will be overwritten if the Citrix client is reinstalled.
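
The workaround above mentions filtering as an alternative to discarding the output. The following wrapper is an added example of that variant, not the author's script and not part of the repository: it keeps the helper's output in the log but masks the `LogonTicket=` value, and it returns the helper's own exit status. It is written for POSIX sh, and it assumes `LogonTicket=` is the only credential-bearing key, since that is the one the advisory shows; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: filtering variant of the advisory's wrapper. Install it as
# /opt/Citrix/ICAClient/util/ctxwebhelper beside the renamed ctxwebhelper.real.
set -eu

# Mask the value after LogonTicket= and pass everything else through.
redact_tickets() {
    sed 's/\(LogonTicket=\)[^[:space:]]*/\1[REDACTED]/g'
}

# Run the real helper with stdout and stderr piped through the filter and
# return the helper's exit status rather than sed's. POSIX sh has no
# pipefail, so the status travels back on fd 3.
run_filtered() {
    real=$1; shift
    exec 4>&1                      # fd 4: destination for filtered output
    helper_rc=$(
        {
            { st=0
              # Close fds 3 and 4 in the helper so it cannot hold them open.
              "$real" "$@" 2>&1 3>&- 4>&- || st=$?
              echo "$st" >&3
            } | redact_tickets >&4
        } 3>&1
    )
    exec 4>&-
    return "$helper_rc"
}

# Only act when installed under the helper's name, so the file can be
# sourced or tested without launching anything.
case ${0##*/} in
    ctxwebhelper) run_filtered "$(dirname "$0")/ctxwebhelper.real" "$@" ;;
esac
```

Like the discarding wrapper, this file is replaced when the Citrix client is reinstalled.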

# Timeline

2022-12-11: Issue disclosed to Citrix via email to secure@citrix.com

2022-12-13: Citrix acknowledges receipt of the report, assigns identifier `CASE-8324`.

2023-01-05: Citrix responds to say they do not consider it a vulnerability.

2023-01-07: Reply to Citrix requesting they reconsider their assessment.

2023-01-14: Public disclosure.

# Author

Russell Howe. [Github](https://github.com/rhowe) [Twitter](https://twitter.com/rhowe212).


ctxwebhelper.wrapper:

    #!/bin/bash

    # Brexit flags
    set -eu

    # Ensure stdout and stderr are discarded
    exec &>/dev/null

    # Execute the real ctxwebhelper
    "$(dirname "$0")"/ctxwebhelper.real "$@"